I could have sworn I filed a patch for this somewhere a long time ago, but maybe I didn't.
The shortcut_set_title() function, which is a title callback for the page for editing a shortcut set, runs check_plain() on the title. This isn't necessary, though, since the menu system already sanitizes titles for us. So the result is that the title is double-escaped.
In theory this should be backported to D7 also, but I'm not sure we should due to the security implications (in case other code out there is calling this function in places where it really does need to be escaped).
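As an added illustration (not code from the issue, the patch, or Drupal core) of the double-escaping described above, and of the backport caveat, the script below simulates a title callback that escapes its own output being run through a menu layer that escapes titles again. `check_plain_demo()` is a stand-in for Drupal 7's `check_plain()`, assumed here to be `htmlspecialchars()` with `ENT_QUOTES` and UTF-8; `menu_render_title()` and the "before"/"after" callbacks are constructed for the example and are not the real core functions.

```php
<?php
// Added example, not Drupal's own code: shows why escaping inside a title
// callback double-escapes when the menu system already escapes titles.

// Stand-in for Drupal 7's check_plain() (assumption: it is htmlspecialchars()
// with ENT_QUOTES and UTF-8, which is what core does).
function check_plain_demo($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample shortcut set whose label contains markup characters.
$shortcut_set = (object) array('title' => 'Tom & Jerry <beta>');

// "Before" the fix: the title callback escapes the label itself.
function shortcut_set_title_before($shortcut_set) {
  return check_plain_demo($shortcut_set->title);
}

// "After" the fix: return the raw label and let the menu layer escape it.
function shortcut_set_title_after($shortcut_set) {
  return $shortcut_set->title;
}

// Stand-in for the menu system rendering a title callback's result
// (assumption: exactly one sanitising pass, as the issue text describes).
function menu_render_title($callback, $shortcut_set) {
  return check_plain_demo($callback($shortcut_set));
}

echo 'before the fix: ', menu_render_title('shortcut_set_title_before', $shortcut_set), "\n";
echo 'after the fix:  ', menu_render_title('shortcut_set_title_after', $shortcut_set), "\n";

// The backport caveat: any caller that prints the callback's return value
// outside the menu layer no longer gets escaping for free after the fix, so
// it must escape at its own point of output. Constructed example of such a
// caller done correctly:
function print_title_directly($shortcut_set) {
  return check_plain_demo(shortcut_set_title_after($shortcut_set));
}
echo 'direct caller:  ', print_title_directly($shortcut_set), "\n";
```

Run with `php` on the command line: the "before" line shows the ampersand rendered as `&amp;amp;` (escaped twice), while the "after" and "direct caller" lines show it escaped once. The last function is the check a reviewer would want before backporting: every place that consumes the callback's value outside the menu system has to escape it itself, which is exactly the risk the paragraph above raises for Drupal 7.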
Comments
Comment #1
aspilicious commented
RTBC for D8
Comment #2
dries commented
Do we even need that helper function?
Comment #3
David_Rothstein commented
Currently it's a separate function because it's used as a menu item title callback.
It could probably be removed and the page title set via drupal_set_title(), but I thought that was not considered best practice (harder to alter, etc)...
Comment #4
xjm commented
Yeah, using drupal_set_title() directly causes a few problems, so I think having the title callback is good.
Comment #5
catch commented
Yeah, if anything we should work towards deprecating drupal_set_title(); it has similar problems compared to drupal_add_css() vs. #attached. Committed/pushed to 8.x.
Comment #6
David_Rothstein commented
Actually, here's a safe way to backport this to Drupal 7.
Comment #7
xjm commented
#6: shortcut-set-title-1363358-6.patch queued for re-testing.
Comment #8
xjm commented
The backport looks safe to me.
Comment #9
David_Rothstein commented
Thanks for the review! Committed to 7.x - http://drupalcode.org/project/drupal.git/commit/ca06374
Comment #10
David_Rothstein commented
Actually, I just realized the end result of this issue is that we need a change notification for Drupal 8. I created one at http://drupal.org/node/1762604
Comment #12
David_Rothstein commented
Drupal 7.16 was a security release only, so this issue is now scheduled for Drupal 7.17 instead.
Fixing tags accordingly.
Comment #13
liam morland commented
This might be caused by #2011918: Titles are often double-escaped (including in the content attribute of the dc:title meta element for nodes).